This dangerous malware is able to hijack your Google Account by reviving cookies
A serious exploit affecting Google services that is being used to grant threat actors access to Google Accounts has been uncovered by cybersecurity company CloudSEK.
The exploit, which was identified in October 2023, enables continuous access to Google services even after a victim resets their password.
The malware has “rapidly spread” to a various malware groups, including Lumma, Rhadamanthys, Risepro, Meduza, Stealc, and White Snake.
Google account hijacking malware spreads rapidly
CloudSEK says the exploit allows the generation of persistent Google cookies through token manipulation, giving a threat actor continuous access to a victim’s account.
Since information about the vulnerability was exposed in October, a growing list of threat actors have been incorporating the exploit into their infostealers and malware to get access to Google accounts. At least six groups are now actively exploiting the vulnerability with their own malware.
CloudSEK’s analysis confirms that the Google OAuth endpoint, MultiLogin, which is designed to synchronize Google Accounts across services and give users a consistent user experience, is part of the key used by threat actors to break into Google Accounts.
Reverse engineering has revealed that the malware targets the token_service table of Chrome’s WebData to extract tokens and account IDs from Chrome profiles.
Threat actors can use the stolen information to regenerate session cookies, which are designed to have a limited lifespan, to unlock access to a victim’s account.
Reporting by Bleeping Computer reveals that one group, Lumma, has already updated the exploit to counteract Google’s mitigations, indicating that Google is already aware of the exploit. By the looks of it, though, Lumma has outsmarted the company – for now.
TechRadar Pro has asked Google for more information on how users can protect themselves and whether the company will release any additional protective measures. In the meantime, users can avoid a lot of cybersecurity problems just by being careful about what they download – a lot of malware is actually ‘voluntarily’ downloaded (intentionally or unintentionally) by the victim.
More from TechRadar Pro
A serious exploit affecting Google services that is being used to grant threat actors access to Google Accounts has been uncovered by cybersecurity company CloudSEK. The exploit, which was identified in October 2023, enables continuous access to Google services even after a victim resets their password. The malware has “rapidly…
Recent Posts
- REI’s anniversary sale is slashing prices on some of the best Garmin watches
- New video of ‘revolutionary’ ceramic storage technology emerges — Cerabyte’s improved prototype gives me hope that affordable Exabyte-class storage racks are coming sooner than expected
- Surface Pro 10 for Business review: A safe upgrade for IT workers
- iPad Pro users are noticing a weird grainy effect in the tandem OLED display – but is it a glitch?
- ChatGPT lets users upload from Google Drive and OneDrive directly
Archives
- May 2024
- April 2024
- March 2024
- February 2024
- January 2024
- December 2023
- November 2023
- October 2023
- September 2023
- August 2023
- July 2023
- June 2023
- May 2023
- April 2023
- March 2023
- February 2023
- January 2023
- December 2022
- November 2022
- October 2022
- September 2022
- August 2022
- July 2022
- June 2022
- May 2022
- April 2022
- March 2022
- February 2022
- January 2022
- December 2021
- November 2021
- October 2021
- September 2021
- August 2021
- July 2021
- June 2021
- May 2021
- April 2021
- March 2021
- February 2021
- January 2021
- December 2020
- November 2020
- October 2020
- September 2020
- August 2020
- July 2020
- June 2020
- May 2020
- April 2020
- March 2020
- February 2020
- January 2020
- December 2019
- November 2019
- December 2011